methodology / Security / #95
Certificate validity-period brevity
#95 · Recommended · Web Quality · weighted · Security · impl todo · source Leaf certificate notBefore and notAfter timestamps, parsed from ASN.1. Lifetime is computed as (notAfter − notBefore) in days.
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
No matrix row defined yet — this factor falls back to a neutral weight of 1.0 across every site type until the methodology is tuned.
What this means for your business
Short-lived certificates that auto-renew are the new normal — they prove your renewal automation works and limit the damage if a key ever leaks. Multi-year certificates from old paid vendors are increasingly seen as a smell.
Plain title: Your padlock renews on a healthy schedule
Want the long version? Read the full explainer with examples →
What we measure
Shorter cert lifetimes are stronger operational hygiene — they force automation, narrow the blast radius of a key compromise, and prove that revocation actually works. ACME/Let's Encrypt issues 90-day certs by default. Apple and Google are pushing the CA/Browser Forum toward a 47-day max by 2027. SSL Labs grades for proximity to expiry; we grade for ISSUED LIFETIME, which is the real modernity signal.
How to improve your score
Switch to an ACME-based issuer (Let's Encrypt, ZeroSSL, Buypass, Google Trust Services ACME) — they all default to 90-day certs with automated renewal. If you're on a multi-year cert from a paid CA, downgrade to a 1-year (the longest the CA/B Forum allows since 2020) and ideally migrate to ACME. For very-short-lived setups (47-day target), use ACME with daily renewal cron — cheap insurance against a single missed renewal.
Facts
Implementation notes
pass=100: lifetime ≤ 90 days (ACME-class hygiene). warn=60: lifetime ≤ 200 days (typical 6-month cert). warn=30: lifetime ≤ 397 days (CA/B Forum hard maximum). fail=0: lifetime > 397 days (over the maximum — should never be issued by a publicly-trusted CA today).
Scoring
Scoring formulas are versioned with the methodology. The current method maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Version history
| Version | Change | Date |
|---|---|---|
| v0.1 | Factor introduced. Status: proposed. Scoring impl: todo. | 2026-04-25 |